Subprocessors
Last updated: April 2026 · Version 1.0
Data Controller: Anton Frederiksen, Tranced Media, CVR 46313585, Denmark, EU
Legal Basis: GDPR Article 28 (Processor) + Article 13(1)(f) (Disclosure of international transfers)
Contact for processor inquiries: contact@tranced.me
This page lists all third-party services that process personal data on behalf of Tranced as part of providing the Platform. Each entry names the processor, the role it plays, the jurisdiction in which it operates, and the safeguards in place for any cross-border transfer of personal data.
Where a processor is established outside the European Economic Area (EEA), we rely on one or more of: the EU-U.S. Data Privacy Framework (where the processor is certified), Standard Contractual Clauses (SCCs) approved by the European Commission, or both. The specific safeguard applicable to each processor is named below.
We update this page when we add, remove, or change a processor. Material changes (new processor handling sensitive categories of data, change of jurisdiction) are notified at least 30 days in advance via Platform notice or email.
1. Infrastructure and Storage
| Processor | Role | Jurisdiction | Safeguard |
|---|---|---|---|
| Supabase, Inc. | Database (PostgreSQL), authentication, file storage, realtime services. Stores all primary platform data: profiles, content metadata, companion conversations, subscriptions, Veil ledger, audit logs. | European Union (Frankfurt, eu-central-1) | EU data residency. Transfers to United States for support / engineering operate under SCCs. |
| Bunny.net (BunnyWay d.o.o.) | Content delivery network. Stores and serves video, audio, image, and thumbnail content. Edge caches across multiple regions. | European Union (Slovenia, primary), global edge network | EU controller. Data subject access available via Tranced. |
| Vercel Inc. | Application hosting, serverless function execution, edge runtime. Processes request payloads transiently. | United States (with EU edge regions) | EU-U.S. Data Privacy Framework certified. SCCs as fallback. |
| Upstash, Inc. | Redis cache for rate limiting, lockouts, and session-level state. Holds short-lived hashed identifiers and rate-limit counters; no long-term personal data. | United States (with EU regions used by Tranced) | SCCs. EU region selected for Tranced workloads. |
2. Payments
| Processor | Role | Jurisdiction | Safeguard |
|---|---|---|---|
| CCBill, LLC | Card processing, subscription billing, refunds, chargeback handling, consumer self-service portal. Holds full payment card data; Tranced does not. | United States | PCI DSS Level 1. SCCs for transfer of customer email + transaction metadata. CCBill is itself the controller of card data, not a processor for that subset. |
For details on what payment data Tranced does and does not hold, see Billing Policy section 1.
3. Age and Identity Verification
| Processor | Role | Jurisdiction | Safeguard |
|---|---|---|---|
| Yoti Ltd | Age verification before access to explicit content (per EU DSA Article 28). Receives the user's submitted ID or biometric estimation; returns only pass/fail and age band to Tranced. Tranced does not see the underlying ID document or biometric data. | United Kingdom | UK GDPR adequacy decision (EU recognises UK as providing adequate protection). Yoti acts as independent controller of the ID data, processor for the verification result. |
4. AI and Companion Services
| Processor | Role | Jurisdiction | Safeguard |
|---|---|---|---|
| Together AI, Inc. | Inference for the Llama-family language models that power companion chat. Processes the system prompt, the user message, and a window of recent context per request. Together does not retain inputs by default. | United States | SCCs. Together's policy commits to non-retention of API inputs; we do not enable any opt-in retention features. |
| Anthropic, PBC | Inference for Claude (used as fallback / for highest-weight generation). Processes the same per-request payload as above. | United States | SCCs. EU-U.S. Data Privacy Framework certified. |
| OpenAI, OpCo, LLC | Content moderation classification (whisper moderation, image moderation pipeline). Processes uploaded text or image hashes per moderation request. | United States | SCCs. EU-U.S. Data Privacy Framework certified. |
| Atlas Cloud, Inc. | Image generation (Flux Schnell / Flux Pro / Imagen 4 Ultra) and video generation (wan-2.6). Processes the prompt; returns generated media. No user identifiers transmitted. | United States | SCCs. Prompts contain no direct user identifiers; provider sees only the rendered prompt text. |
| ElevenLabs, Inc. | Text-to-speech for companion voice features. Processes the text to be spoken; returns audio. No user identifiers transmitted. | United States | SCCs. EU-U.S. Data Privacy Framework certified. |
AI inference processors are a particularly sensitive category because companion conversations may contain personal narratives. We do not allow any AI subprocessor to retain inputs for training. If a processor changes its retention policy, we evaluate the change and may switch providers; you are notified of any such change as a material update to this page.
5. Communications and Support
| Processor | Role | Jurisdiction | Safeguard |
|---|---|---|---|
| Resend, Inc. | Transactional email delivery (account confirmation, password reset, billing receipts, renewal reminders, age-verification confirmations, deletion confirmations, creator first-email). Processes recipient email + message body. Per Privacy Policy, email is bare-bones transactional only; no marketing. | United States | SCCs. EU-U.S. Data Privacy Framework certified. |
6. Observability and Security
| Processor | Role | Jurisdiction | Safeguard |
|---|---|---|---|
| Sentry (Functional Software, Inc.) | Error and exception tracking. May incidentally process request metadata, stack traces, and limited user identifiers (email, user id) when an error occurs. Does not process content of companion conversations or media files. | United States (EU region selected for Tranced) | SCCs. EU data region. PII scrubbing enabled where supported. |
7. What Tranced Does NOT Use
For transparency, the following common categories of subprocessor are not in our stack:
- Third-party advertising networks (no ads on Platform)
- Cross-site tracking pixels (no Facebook Pixel, Google Analytics, TikTok Pixel)
- Remarketing or audience-syncing services
- Data brokers or audience-enrichment services
- Push notification providers (we explicitly send no push notifications)
- Marketing automation platforms (no Mailchimp, no HubSpot, no engagement-email tooling)
8. International Transfers Summary
The majority of personal data is stored within the European Union (Supabase EU, Bunny.net EU primary). Cross-border transfer occurs in two scenarios:
- Operational: Vercel hosting and certain processors are US-based; the request payload transits to their US infrastructure for processing. Volumes are minimised by edge-region selection.
- Inference: AI subprocessors are US-based. Per-request payloads transit for inference; outputs return. We do not enable retention for training.
All such transfers occur under one or both of: EU-U.S. Data Privacy Framework certification, or EU Standard Contractual Clauses (SCCs) approved by the European Commission. The specific mechanism per processor is named in the tables above.
9. Your Rights
Under GDPR you have the right to know who processes your personal data and on what basis. This page exists to satisfy that right transparently and in advance, rather than only on individual request.
You may request additional details on any specific processor relationship, including a copy of the relevant SCC text or DPF self-certification reference, by emailing contact@tranced.me with the subject "Subprocessor Inquiry".
For all other GDPR rights (access, correction, deletion, portability, objection), see Privacy Policy section 7.